Hi
I am trying to start an LDAP connection over SSL.
My code goes like this:
ldap_init(host,LDAPS_PORT); ldap_set_option()
ldap_start_tls_s(handle,null,null);
When I call ldap_start_tls_s() I get an error saying that it can't contact the LDAP server.
Can you please tell me what options to set before I start the TLS connection?
I have the CA certificate and the server certificate. Can you tell me which certificate I should use in the code?
Thanks and Regards, Prasanth
On Tue, 1 Jul 2008, prasanth allada wrote:
I am trying to start an LDAP connection over SSL.
My code goes like this:
ldap_init(host,LDAPS_PORT); ldap_set_option() ldap_start_tls_s(handle,null,null);
When I call ldap_start_tls_s() I get an error saying that it can't contact the LDAP server.
Right, because ldap_start_tls_s() performs the LDAP start TLS operation, but for ldaps the client is supposed to simply negotiate TLS/SSL upon connection, without sending an LDAP operation first.
The Right Thing is to stop using ldap_init() and instead use ldap_initialize(), passing it a URI of "ldaps://hostname".
(Note that it'll automatically use port 636 when the URI schema is "ldaps", just as it'll automatically use port 389 when the schema is "ldap".)
I have the CA certificate and the server certificate. Can you tell me which certificate I should use in the code?
The client only needs the CA certificate. Set the LDAP_OPT_X_TLS_CACERTFILE option to the path to the PEM file, or set the LDAP_OPT_X_TLS_CACERTDIR option to a directory holding the PEM file with hashed paths. (Check out the docs for SSL_CTX_load_verify_locations() for the details of the hashing.)
Note that in versions before 2.4.0, those are *global* options: ldap_set_option() *must* be passed a NULL LDAP handle when setting them. As of 2.4.0 they're per-LDAP-handle only and must be set on each handle you create.
Philip Guenther
I used ldap_initialize and tried initializing the connection using the CA certificate. I am still getting the same error.
The following is the code that I compiled. Can anyone tell me where I am going wrong in this piece of code? I am able to connect to the LDAP server using jxplorer on port 636.
```c
#include <stdio.h>
#include <ldap.h>

int main(void)
{
    int returncode;
    /* declared in the posted code but not used below */
    char *host = "155.35.5.215";
    int port = 636;
    const char *user = "uid=administrator,dc=prasanth,dc=com";
    const char *passwd = "notallowed";
    LDAPMessage *result;
    char *base = "DC=prasanth,DC=com";
    LDAP *handle;

    // initialize the handle
    if ((returncode = ldap_initialize(&handle, "ldaps://155.35.5.215")) != LDAP_SUCCESS) {
        printf("LDAP initialization failed %d %s\n", returncode, ldap_err2string(returncode));
        return 1;
    } else {
        printf("LDAP initialization successful\n");
    }

    // set the options for SSL certificate connection
    int ldap_version = LDAP_VERSION3;
    if ((returncode = ldap_set_option(handle, LDAP_OPT_PROTOCOL_VERSION, &ldap_version)) != LDAP_SUCCESS)
        printf("error while setting ldap version\n");
    if ((returncode = ldap_set_option(handle, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)) != LDAP_SUCCESS)
        printf("error disabling referrals\n");
    int sslmode = LDAP_OPT_X_TLS_HARD;
    if ((returncode = ldap_set_option(handle, LDAP_OPT_X_TLS, &sslmode)) != LDAP_SUCCESS)
        printf("error setting tls option to hard\n");
    int cert = LDAP_OPT_X_TLS_DEMAND;
    if ((returncode = ldap_set_option(0, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert)) != LDAP_SUCCESS)
        printf("error setting require cert option\n");
    if ((returncode = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE, "/root/certs/CAcert.pem")) != LDAP_SUCCESS)
        printf("error setting CA certificate\n");

    // the StartTLS operation on an ldaps:// connection, as posted
    if ((returncode = ldap_start_tls_s(handle, 0, 0)) != LDAP_SUCCESS)
        printf("TLS START FAILED\n");
    printf("%d %s\n", returncode, ldap_err2string(returncode));
    return 0;
}
```
On Wed, 2 Jul 2008, prasanth allada wrote:
I used ldap_initialize and tried initializing the connection using the CA certificate. I am still getting the same error.
Uh huh. I wrote:
Right, because ldap_start_tls_s() performs the LDAP start TLS operation, but for ldaps the client is supposed to simply negotiate TLS/SSL upon connection, without sending an LDAP operation first.
I.e., don't use ldap_start_tls_s() with an "ldaps" URI! Simply remove that call from your code. SSL will automatically be negotiated when the connection is actually opened.
Philip Guenther
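As an added example (not code from the thread or from the OpenLDAP project): the ldapsearch equivalent of the two correct client setups described above, ldaps:// with TLS on connect versus ldap:// with StartTLS, using the environment variables that map onto LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_REQUIRE_CERT. This is the check to run before debugging the C program; the host, URI and certificate path are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. ldapsearch uses the same libldap as the
# C code, so its environment variables map onto the options discussed:
#   LDAPTLS_CACERT  -> LDAP_OPT_X_TLS_CACERTFILE (the CA cert, not the server cert)
#   LDAPTLS_REQCERT -> LDAP_OPT_X_TLS_REQUIRE_CERT (demand = verify the chain)
# Host, URI and certificate path below are placeholders.

# How TLS is reached depends only on the URI scheme, as in libldap:
#   ldaps://  TLS negotiated on connect (default port 636); StartTLS must NOT be sent
#   ldap://   plaintext connect (default port 389); StartTLS is requested (-ZZ = required)
tls_args_for_uri() {
    case "$1" in
        ldaps://*) echo "" ;;
        ldap://*)  echo "-ZZ" ;;
        *) echo "unsupported URI scheme: $1" >&2; return 1 ;;
    esac
}

default_port_for_uri() {
    case "$1" in
        ldaps://*) echo 636 ;;
        ldap://*)  echo 389 ;;
        *) return 1 ;;
    esac
}

# Anonymous base-scope read of the root DSE: succeeds only if TLS came up and
# the server certificate chains to the given CA file.
probe_ldap_tls() {
    uri=$1; cacert=$2
    extra=$(tls_args_for_uri "$uri") || return 1
    LDAPTLS_CACERT="$cacert" LDAPTLS_REQCERT=demand \
        ldapsearch -H "$uri" $extra -x -b "" -s base '(objectClass=*)' 1.1
}

# usage: sh probe.sh ldaps://ldap.example.com /root/certs/CAcert.pem
if [ $# -ge 2 ]; then
    probe_ldap_tls "$1" "$2"
fi
```

If the ldaps:// probe fails with REQCERT=demand but succeeds with LDAPTLS_REQCERT=never, the problem is the CA file or the name in the server certificate, not the connection.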
openldap-software@openldap.org